Black Hat 2008: What’s next for Firefox security

Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her talk at the Black Hat security conference, she introduced three new initiatives focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she has hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigations to protect the browser from attack. Hiring outside reviewers isn’t inherently unusual; what is abnormal is that the results, once the work is done, will be released to the public. The training initiative will have IOActive trainers working with Mozilla engineers on secure programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative revolves around security metrics and is already in progress. The aim is to take the focus off of patch-counting and provide a better assessment of a browser’s security and vulnerability record. [Snyder] says, “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also revealed some other Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but both are still a long way from becoming standard features.

23 thoughts on “Black Hat 2008: What’s next for Firefox security”

Whoa, NoScript in the core? That would be seriously awesome and bypass some of the dance the extension has to do to get it to work (though FF3 improved things). I wonder if they’re going to make Adblock Plus features more integrated — blocking things from known-bad and user-defined hosts would be much easier that way. In fact, that could replace the first few extensions that I install before I actually use the browser…

Uh… seriously: What role does the race play here? If you said “None”, you got it right.

Now, adding security is a good thing. But IMHO the Mozilla project should also pay attention to quite a few other things, e.g. stability, speed, memory consumption, protection against badly written extensions and plugins, proper multithreading, …

[tjhooker]: she has a pretty and black face, and those are valid observations. your objection is inappropriate.

What you seem to be objecting to is the _mention_ of and idea of consciousness about skin color, spurred by a common-sense connection between article title and picture. You call that racist, despite the lack of any judgment on any property of the person so far beside the compliment.

This isn’t vaudeville “black face” impersonation. This isn’t that context. In another context, calling you a canine would be a prelude to violence and showing the sole of my foot a disgusting display of disrespect.

Any physical response can be justified if intent is deemed equivalent to imaginary offense. However, they are not the same. So until you actually _ask_ whether [joesph-walton] had ulterior meanings, try not assigning some of your own for irrelevant purposes.

The person directly associated it with the fact “black” was in the name of the event she attended, and then followed it with “more like black face… am i rite?”.

This isn’t rocket science, or even advanced linguistics.

I’d like to throw down some triple-syllable words to really set it in stone, but it’s just racism in every context of every written and spoken language. Excusing it is kind of instigating trolling and repetitive explanations of core language skills.

Matasano Security is the firm that ‘accidentally’ leaked the DNS exploit details on their blog and then pulled it down and apologized, saying they meant to “only post it after someone ELSE leaked it”, right?

Great… now Firefox is gonna get a LeakThis! button right next to the Home button that autoposts stuff from your email account to your blog with no confirmation.

Like I said this isn’t advanced linguistics. The way they phrased it doesn’t fit any other context. If it does then please enlighten me on what that is, using the whole context, and not just a fragment.

Like I said, the context is so blunt/obvious that by conjuring excuses you’re doing nothing but trolling; frivolously at that.

I don’t want NoScript in Mozilla’s hands. It’s better that it’s independent and constantly tweaked by enthusiasts rather than in the control of Google-lovers who might have an interest, at some point, in allowing some stuff we the users would not want to allow. Once too much is under some central control, the road to disaster is nicely paved.